Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!ames!ucbcad!ucbvax!EMBL.BITNET!OMOND
From: OMOND@EMBL.BITNET (Roy Omond)
Newsgroups: comp.os.vms
Subject: *** Important message ***
Message-ID: <8708030937.AA27261@ucbvax.Berkeley.EDU>
Date: Fri, 31-Jul-87 12:56:39 EDT
Article-I.D.: ucbvax.8708030937.AA27261
Posted: Fri Jul 31 12:56:39 1987
Date-Received: Tue, 4-Aug-87 01:33:14 EDT
Sender: usenet@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 52

Fellow System Managers, take heed of the following saga.

Well, the well known patch to SECURESHR.EXE took a *long* time in coming to Europe. In fact, it took me several days to convince the local DEC people that there was a security loophole in VMS 4.5 ... *sigh*.

Anyway, in the meantime, we got screwed around by German hackers (probably from the notorious Chaos Computer Club in Hamburg). Before I had the chance to install the patch, "they" managed to get in and did pretty well at covering their tracks. They patched two images, SHOW.EXE and LOGINOUT.EXE, so that a) they could login to *any* account with a certain password, which I'll not divulge, b) SYS$GW_IJOBCNT was decremented and c) that process would not show up in SHOW USERS.

They have cost us a lot of real money by using our X.25 connection to login to several places all round the globe. I have done my best to notify per PSImail those VAX sites that were accessed from our hacked system. I pray (and pray and pray ...) that no other damage has been done, and that I'm not sitting on a time bomb.

Anyway, the following information might help others to check if they have been tampered with:

Use CHECKSUM to perform a checksum of LOGINOUT.EXE and SHOW.EXE as follows:

    $ Check Sys$System:Loginout.Exe
    $ Show Symbol Checksum$Checksum

if you get the value 3490940838 then you're in trouble.

    $ Check Sys$System:Show.Exe

if you get 1598142435, then again you're in trouble.

Now something I'm a bit unsure about whether I should publicise : Two persons with known connections with the Chaos Computer Club in Hamburg who I know have distributed the patches mentioned above (and in my opinion are to be considered along with the lowest dregs of society) I will name here : Claus Traenkner (at our own outstation of the EMBL in Hamburg) and Stefan Weirauch (at the Univ. of Karlsruhe) in the hope that someone somewhere will a) be saved some hassle from them and b) might perform physical violence on them.

Jeez, I'm scared ...

Roy Omond
System Manager etc.
European Molecular Biology Laboratory,
Heidelberg, West Germany.